
Tweeking (still) Programs Settings

Hello again Oldsod and forum,
I am still tweaking my Programs permissions and have a few more questions. I have just used some programs and 'new' browsers since my new install of ZoneAlarm Pro... but it wasn't until today that I noticed Netscape, Opera and Firefox had established themselves automatically with Full Server permission (trusted and internet server). Are these Zone Alarm's defaults for "Auto" settings?
I have set these to disallow any server rights, but am curious to know if this should be a red flag - or a typical experience as a Zone Alarm user.
Additionally, MSN and Windows Messenger had Server access... Windows Messenger had green checks across the board. I can't imagine this is the automatic that Zone Alarm recommends. I have disabled server access. I never use Windows Messenger. I only used the aforementioned browsers to view a web project in different browsers.
My PC is running fine.
I mostly ask as I am trying to determine, from my recent experience with exploit-byte.verify, if my PC is really rid of any malware, and if any of what I mention should cause me concern.
One more... my Mouse Control Center is listed in Programs... it currently displays a row of question marks across the board. What are the recommended settings for this (em_exec.exe)?
Thank you very much,
Kathy

Re: Tweeking (still) Programs Settings

Hi Kathy

Once you get more accustomed to the networking and internet and the ways of the ZA, then the Smart Defense Advisor and the Automatic settings of the ZA/ZL are not so important.

Okay, if the browsers have Server for the Internet - this is only needed if uploading files to servers or navigating into the router. Other than that, the Internet server is not needed. The Trusted Server is very much needed for browsers - to allow the server on the localhost (both 127.0.0.1 and 0.0.0.0) and to the dns servers (which are in the trusted zone).

The IMs such as MSN and Windows Messenger will need not only the Trusted server (same as the browsers described above) but also the Internet Server, to allow incoming connections from the messenger servers. The Internet Server can be set to Ask (blue question mark) instead of the Allow (green check) for the messengers, thus giving you a little more control as to when and where these inbound connections are established.

The exploit-byte.verify should be cleaned if the antivirus has no detections in its scans.
I would suggest to do an online scan for a second opinion (or third for that matter). Use the Internet Explorer (these will need and install activeX), allow all in the Privacy and set the ActiveX install in the OSFirewall tab to Ask.

Mouse control (em_exec.exe) hmm....
Ok. The ZA does control not only the application directly involved in the network/internet accesses, but also the parent processes that cause the child processes to connect to the network/internet. Thus if opening a browser, the winlogon.exe, explorer.exe and the userinit.exe and probably the svchost.exe are all considered to be processes acting as a "parent" to be the cause of the individual browser to attempt connections.
Since the browser is acted upon by those other external processes, the browser is considered to be a child (not the process in control).

[Further explanation... You clicked the browser icon or the entry in the menu for example, thus it is explorer.exe (explorer shell) acting as a parent process; the browser is started up, thus it is winlogon.exe acting as a parent process; and it is done through the user account/gui, thus it is userinit.exe acting as a parent process. All three processes will be in the Logs accessing the site(s) the browser itself accessed.

This is done this way in the ZA to provide the layer of protection required from malware attempting to act as a parent to open child processes such as IMs, browsers, email clients, updaters, or even individual windows processes to connect to the network/internet.

Some typical examples of malware attempts would be (when you are not installing or updating) a file in some Temp folder is trying to use the explore.exe or iexplore.exe to access the internet. Or maybe access the internet itself.
Or in the exploit-byte.verify situation, some file in the java cache is trying to access the internet or act as a parent to some windows process/application to access the internet or the iexplore.exe is suddenly attempting internet access.

Bear with me, I'm getting closer to the point!]

Okay, the point is... the mouse may well be seen as a parent process by the ZA and if the mouse, for example, opened a browser by clicking a browser icon, then its network/connection attempts would have to be allowed and it will be logged. Exactly the very same as the browser itself would be logged or have its alerts.
I have the same issue with the MS keyboard - the itype.exe is seen as a parent process when I use the browser's shortcut key of the keyboard. The ZA logs the connections and the itype.exe does need to have the correct accesses and servers as for the browser. I actually set the expert rules up not to log the itype.exe or do alerts, just to reduce the noise and keep my sanity (well what is left of it, anyways).

Netscape browser - still using it? It is phased out and will no longer be updated.

Re: Tweeking (still) Programs Settings

Hi again Oldsod,
I am still chewing on your previous informative posts and haven't done all of my learning/homework.
I realize that you put your time into these replies. For me there are certain mental firewalls (ha) that time perhaps has worked against me on.
I think it is likely that as I go along - I may do another clean install of Zone Alarm - to get off to a better start with my Programs list. And then I am going to take advantage of some features that you mentioned... like backing up settings.
Here is one of those mental-block questions. You explained just prior about IMs/Windows Messenger. I know different folks out there use their computers in different ways. So, I'll just mention here - I never ever use Messaging, Instant Messaging, Chatrooms etc. Does Windows Messenger/IMs have another functional reason (tied to Windows needing it) that I am oblivious to? Otherwise, I would 'kill' it... as no messaging should be coming from this PC (except email and forums).
If I set my OSF firewall to disallow changes, as noted in your earlier screen capture... such as changes to StartUp Programs, how does this affect my initiating those changes, or trusted McAfee, Windows Updates, or my wishing to remove a program from the StartUp menu? Do I need to change OSF back to allow to make or allow desired modifications/updates?
Oldsod, I'm going to have more questions... but I will try to do my homework first.
Re: Netscape... I don't really use it, I just was trying to make sure that a website displayed properly in Netscape, Opera, Firefox... as well as IE.
(I didn't know it was being phased out) My background is print design... and I now do some web work... but it is a love/hate relationship and learning curve with the technology, browsers, and things like... How is it going to look/function with Javascript off? etc.
I find various tips, tutorials, gizmos, tools, converters, related to what I do and try to be careful out there.
Thank you,
Kathy

Note: the sysco.inf method can be used to uninstall/install other things such as fax or smtp. Just leave the others alone and do the windows messenger removal.

Regarding the OSFirewall tab concerning startups: the previous startups should be allowed and just any new startups will be stopped (if red X'ed) or it will Ask (if blue question mark is used). But personal experience says this is not so and occasionally something previously allowed can be stopped from starting up with Windows. So the best choice is still the Ask and the security is intact and remains high. I would use this in the event something stopped working properly (McAfee resident scanner, etc), but it should not affect Windows updates (updates do not run with Windows' startups).

BUT if doing some immensely intense Windows update like updating the Internet Explorer or such, I would recommend to turn off the ZA, then do the "intricate" Windows update and do the reboot, with the ZA starting with the Windows startup. You would not believe how many users had difficulties with the Internet Explorer upgrade to version 7 just because the ZA clamped down on some of the upgrade processes involved during the update/installation.

BTW, the startups are controlled in the ZA by controlling certain Run keys in the registry and the Startup folder itself. If it is set to the Red X and some new event happens (new installation or you have activated a previously dormant application to start with Windows), then it would be better to have the Program Control slider set to Medium for "learning" the newer routine or perhaps just set the OSFirewall's Startup entry to Ask.

Checking sites/graphics with browsers... let's see, Internet Explorer is Trident based, Opera is Presto based (will change to a new engine with the finalization of the present beta Kestrel), Firefox is Gecko (this will change with the finalization of the present beta, something called Gran Paradiso), Safari is KHTML based (I think, maybe that is wrong). Must be at least 100 different browsers out there now and yet more will come. How do you manage to keep up?

Re: Tweeking (still) Programs Settings

" I think it is likely that as I go along - I may do another clean install of Zone Alarm - to get off to a better start with my Programs list. And then I am going to take advantage of some features that you mentioned... like backing up settings."

No need to go through the uninstall and re-install procedure to clean up the ZA. Just do this instead:
1.) Boot your computer into the Safe Mode
2.) Navigate to the c:\windows\internet logs folder
3.) Delete the backup.rdb, iamdb.rdb, *.ldb and the tvDebug files in the folder
4.) Clean the Recycle Bin
5.) Reboot into the normal mode
6.) ZA will be just like new with no previous settings or data

Or if you are in a hurry or in a panic, then do this with the ZA latest release:

1.) Hold down the Ctrl and Shift keys together
2.) Right click on the ZA icon near your clock in the system tray lower right corner
3.) Choose 'Reset' from the box that comes up
4.) Choose Yes on the Reset Settings dialog box
5.) When prompted, choose OK to restart your system
6.) Follow the on screen configuration prompts after reboot

This second method will delete only the iamdb.rdb and the backup.rdb files (the files will be recreated by the ZA on the windows bootup or restart, but empty).

Note: If the ZA is messed up and has developed bugs, then do not use a recent backup for restoration after cleaning the ZA database (or else the most recent backup could contain the same bugs and the problem(s) will still exist).

Re: Tweeking (still) Programs Settings

Hi Oldsod,
I just noticed an item I want to ask you about. As of the past hour or so, Java is showing up as an icon in the upper right corner of my Programs panel. Upon first over-reacting I started to change the permissions for all the Java entries, and then I realized its icon is the same as Java Scheduler... so I assumed it was checking for updates, even though it didn't ask me. However when I checked out the Java control panel, it is set to check for updates on Sundays at 12 am. Meanwhile - as I downgraded Java's permissions - it still displays its icon in the top right tray. I wasn't visiting any sites, etc that called for it. Then I opened up Task Manager to see what was running and under Applications tab was something I have never seen... a little folder with "si" and application next to it.
I have no idea what this could be. I selected "end task". I don't typically keep Task Manager open - but reopened it awhile later to see another folder displayed under applications; this folder was labeled "application data" - status "running". Currently I'm doing a full system virus scan. My PC is running fine. It is just the unknown that is alarming me.
Do you have any explanation for the above?
Thanks,
Kathy

Re: Tweeking (still) Programs Settings

Do the "mouse over" the upper right corner of the Programs panel - this will say what is the file or application. But the number of "instant" tell me what is connecting is limited. Look in the "Active" Column (narrow left side column) for a complete listing - active components will have an icon next to it.

For Task Manager's Applications tab, just switch to the Processes tab and perhaps there would be a better description or at least a file name and a user name. A Search can be made using the exact process details.

Look in the Application Data folder under your User name in the Documents and Settings. Then open the Sun folder, then the Java folder, then the Deployment folder. There inside the Deployment folder should be a deployment.properties file (can be read with the Notepad) and a Temp folder. Inside the Temp folder should be a folder named "si". This "si" folder was probably what was seen in the Application tab of the Task Manager. Check this "si" folder contents and see if there are any records or files which can be read with the Notepad; any date or event will be helpful.

Usually if the java or adobe updater ran or started, it will continue to run until shutdown.

Next open your User name in Documents and Settings, open the Local Settings folder and open the Temp folder found inside it. There may be some Java files in here too. Maybe these too can be traced according to date/time and file extensions or opened with the Notepad.

Then open the WINDOWS\Temp folder for any files which can help in tracing the events.

Then open the Downloaded Program files in the Windows directory and check the date/time on all of the Java entries. These are .COM or activeX controls installed which will function with the Internet Explorer.

Next open the Event Viewer of the Administrative Tools (Control Panel) and have a look at the items under the Application and the System. These too have records of successful and unsuccessful events which have occurred on the PC. Look at the entries on the right and right click the interesting ones and open the Properties. Also the Event ID number can be helpful (the event id can be googled and many issues/problems/events can be figured out).

Still stuck? Next time this happens and something weird is going on, just open the command prompt and type in "netstat -ano" (without quotation marks) and then press the Enter key of the keyboard.
An "instant" (at that very moment) readout of all active events concerning networking will be displayed.
- The loopback or the 127.0.0.1 and the non route or the 0.0.0.0 will be displayed - these are just local or internal activities.
- Any 192.168.x.x will be the PC/applications chatting back and forth with the router and the local network.
- Any other IPs should be internet servers/PCs.

But the netstat does not list what the exact process is by file number or name, only by its PID. The PID is in the right hand column in this readout. So open the Task Manager and then open the Processes tab. In the View, open the Select Columns and check the PID (Process Identifier) box and OK it. Now match or cross-reference the PID as seen in the command readout with the PID in the Task Manager. Now you will know what is connected and what the file name/process is and you know the exact IPs and ports involved all at the same time. Sometimes this helps.
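As an added example (my own code, not from the post or from ZoneAlarm), here is the cross-referencing described above done in a script: it parses constructed "netstat -ano" text, tags each foreign host as local, LAN or internet using the post's three groups (extended to all three RFC 1918 private ranges), and joins each PID to its image name. It assumes "tasklist /fo csv" as the process-list source in place of Task Manager's PID column.

```python
# Added example (not from the post): join 'netstat -ano' lines to process
# names by PID and tag each foreign host as local / lan / internet.
import csv
import io
import ipaddress

# Constructed samples (not real captures) in XP-era 'netstat -ano' and 'tasklist /fo csv' layout.
NETSTAT_SAMPLE = """\
  Proto  Local Address      Foreign Address    State        PID
  TCP    127.0.0.1:1030     127.0.0.1:1031     ESTABLISHED  1452
  TCP    0.0.0.0:135        0.0.0.0:0          LISTENING    892
  TCP    192.168.1.5:1045   192.168.1.1:53     TIME_WAIT    0
  TCP    192.168.1.5:1052   203.0.113.10:80    ESTABLISHED  1452
  UDP    0.0.0.0:445        *:*                             4
"""
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","892","Console","0","4,120 K"
"firefox.exe","1452","Console","0","38,560 K"
"""
# The post's 192.168.x.x plus the other two RFC 1918 private blocks.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(host):
    """loopback, 0.0.0.0 or '*' -> local; RFC 1918 -> lan; else internet."""
    if host in ("*", ""):
        return "local"
    addr = ipaddress.ip_address(host)
    if addr.is_loopback or addr.is_unspecified:
        return "local"
    return "lan" if any(addr in net for net in LAN_NETS) else "internet"

def parse_netstat(text):
    """One dict per TCP/UDP line; UDP lines carry no State column."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] not in ("TCP", "UDP"):
            continue  # skips the title, blank and header lines
        rows.append({"proto": t[0], "local": t[1], "foreign": t[2],
                     "state": t[3] if t[0] == "TCP" else "", "pid": int(t[-1])})
    return rows

def cross_reference(netstat_text, tasklist_text):
    """Attach the owning process name and the foreign host's zone to each row."""
    names = {int(r["PID"]): r["Image Name"]
             for r in csv.DictReader(io.StringIO(tasklist_text))}
    rows = parse_netstat(netstat_text)
    for row in rows:
        host = row["foreign"].rpartition(":")[0].strip("[]")  # drop port, IPv6 []
        row["process"] = names.get(row["pid"], "<not in tasklist>")  # e.g. PID 0
        row["zone"] = classify(host)
    return rows
```

On a live machine, feed cross_reference() the real output of the two commands instead of the samples; the "internet" rows owned by a process you did not start are the ones worth looking at first.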

Re: Tweeking (still) Programs Settings

Hi Oldsod,
I was just about to update my post and see you have responded...
You will be happy to hear that I actually figured out a moment ago that "si" is a folder under java app. It is possible that I -- while earlier viewing contents (folder was empty) - probably left explorer open and that this is why "si" was listed. I never really noticed that open folders and certain events display under Task Manager>Applications. (I thought it just listed "Photoshop, and whatever else").

Meanwhile - I realized that my updating of Java did not remove the old installation of Java 1.4.2.
So - I may be wrong in doing this, but I decided to uninstall (both) the old and the "6.5 update" and start anew.
I haven't done that last part yet.
I see that all the old Java folders still exist in Windows Explorer. Do you think it is OK or wise if I delete these Java folders manually before I do a clean install of Java?
(Thank you)
Kathy

Re: Tweeking (still) Programs Settings

If anything, empty the folders inside of any files after the uninstall of the java - the java will replace the folders when it installs. Usually good to find the old java installer and delete it- it will be in the Doc's and Setting folders somewhere. Don't forget the Java folder in the Java folder of the Common Files directory (also check the installation folder) along with the main Java folder (installer may be here too) in the Program Files directory.
I usually place the installer in the proper folder or directory before installing - it is a little cleaner for Windows and the installation process and I always know where the installer is stored.

Re: Tweeking (still) Programs Settings

Hi Oldsod,
If it matters - I had uninstalled Java via Add/Remove Programs. I'm Windows XP SP2... I think SP1 might be a little different concerning the paths.

From what I can gather I have a Sun folder with subfolders off of Documents & Settings\Kathy\Application Data\Sun\Java Deployment
- this one has many many subfolders... mostly empty except: a "Class" file, "IDX" file, "Plugin142" that is a "Trace file" and an "Auth.dat".
I have no Java in CommonFiles but in C:\Program Files I have a Java Folder with one lone file buried in its subfolders, "QTJava.zip", that is not new and is not old... dated 2007.
If I understand you correctly, I should delete these 4 or so files, but keep the folders intact. And when I am done use CCleaner.
Correct?
I could not find the installer file. I believe that when I installed 6.5 from Java, it didn't place an installer - I usually save installation programs and run them. This didn't work that way.
I will check back with you. I'm thinking I will not do any installations today, but tomorrow when I've had more sleep... and stay away from heavy machinery, too.
Kathy